Post by Bob Beck
Hi,
I am attempting to run auditd in centos7 inside an lxc container.

It can run inside a container only as an aggregating server. Meaning that it cannot audit the host system, but rather collect logs from remote systems. To do this, set local_events = no. This was added in audit-2.5.2.

Post by Bob Beck
Here is the log I get when I run auditd -f

config file /etc/audit/auditd.conf opened for parsing
log_file_parser called with: /var/log/audit.log
log_format_parser called with: RAW
log_group_parser called with: root
priority_boost_parser called with: 4
flush_parser called with: INCREMENTAL
freq_parser called with: 20
num_logs_parser called with: 5
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_parser called with: 6
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 30
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 31
Started dispatcher: /usr/sbin/audispd pid: 3028
type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4 format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=success
config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=failed
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)

Yep. That is what you get when trying to audit the host from an unprivileged container. Container support in the kernel is still an ongoing project.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit

Post by Bob Beck
Thanks for your quick reply.
Do you mean that it logs events from within the 1 specific lxc container in which it is running but not the host VM?

Nope. It would only work as an aggregating server. Meaning it can collect logs from remote systems. But it cannot collect anything itself. Not from the container nor the host kernel. It can only log what comes across a tcp/ip connection from another auditd. This is a limitation of the kernel - which is being worked on currently.

-Steve
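Steve's diagnosis can be read straight off the trace Bob posted: auditd parses its config and starts audispd fine, then every request to the kernel is refused. The Python below is an added example, not code from the thread or from the audit project; it embeds a constructed, trimmed copy of that trace, parses the `type=... msg=audit(...)` records, and classifies the failure (the verdict strings are my own naming, not auditd's).

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the `auditd -f` trace posted in the thread.
SAMPLE_TRACE = """\
config file /etc/audit/auditd.conf opened for parsing
Started dispatcher: /usr/sbin/audispd pid: 3028
type=DAEMON_START msg=audit(1522944040.042:592): op=start ver=2.8.4 format=raw kernel=3.10.0-693.17.1.el7.centos.plus.i686 auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=success
config_manager init complete
Error sending status request (Connection refused)
Error sending enable request (Connection refused)
type=DAEMON_ABORT msg=audit(1522944040.043:593): op=set-enable auid=4294967295 pid=3026 uid=0 ses=4294967295 subj=system_u:system_r:init_t res=failed
Unable to set initial audit startup state to 'enable', exiting
The audit daemon is exiting.
Error setting audit daemon pid (Connection refused)
"""

# type=<TYPE> msg=audit(<secs>.<msecs>:<serial>): k=v k=v ...
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
# auditd's own complaints, e.g. "Error sending status request (Connection refused)"
ERROR_RE = re.compile(r"^Error (.+?) \(([^)]+)\)$")

def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one audit record into a dict of its fields, or None if not a record."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "ts": m.group(2), "serial": m.group(3)}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group(4)))
    return rec

def diagnose(trace: str) -> Dict[str, object]:
    """Classify a startup trace; 'kernel-audit-unreachable' is the container case."""
    records = [r for r in map(parse_record, trace.splitlines()) if r]
    refused = [m.group(1) for m in map(ERROR_RE.match, trace.splitlines())
               if m and m.group(2) == "Connection refused"]
    started = any(r["type"] == "DAEMON_START" and r.get("res") == "success" for r in records)
    aborted = any(r["type"] == "DAEMON_ABORT" and r.get("op") == "set-enable"
                  and r.get("res") == "failed" for r in records)
    if started and aborted and refused:
        # auditd parsed its config and started audispd, but every netlink request to
        # the kernel audit subsystem was refused (unprivileged container): only
        # local_events = no (aggregating server) can work in this environment.
        verdict = "kernel-audit-unreachable"
    elif aborted:
        verdict = "abort-other"
    else:
        verdict = "started" if started else "unknown"
    return {"verdict": verdict, "refused_requests": refused,
            "serials": [r["serial"] for r in records]}
```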
